Active Directory Integrated Squid Proxy

Introduction
This document covers the setup of a Squid proxy that integrates seamlessly with Active Directory using Kerberos and NTLM, with basic authentication as a fallback for clients that cannot authenticate via Kerberos or NTLM. Authorisation to use the internet is managed by Security Groups in Active Directory by means of LDAP lookups. The proxy supports block and allow lists for site access restrictions, and an optional monitoring section covers Cyfin Reporter for proxy monitoring.

This guide is an expansion and update to a guide I submitted on HowtoForge and contains some fixes to issues discovered and amendments to incorrect information.

I want to take the opportunity at the start of the guide to thank the Squid developers and the support I received on the mailing list in getting this guide completed. Squid Rules!

Example Environment
For this guide the following example values are used. Update any HIGHLIGHTED TEXT sections with your client's domain, hostnames, IPs etc. where necessary.


 * Network
   * Domain = example.local
   * Subnet = 192.168.0.0/24
 * Proxy Server
   * IP = 192.168.0.10
   * HOSTNAME = squidproxy.example.local
   * Kerberos computer name = SQUIDPROXY-K
 * Windows Server 1
   * IP = 192.168.0.1
   * HOSTNAME = dc1.example.local
 * Windows Server 2
   * IP = 192.168.0.2
   * HOSTNAME = dc2.example.local

Specifications
Most situations will require the proxy to be set up as a Debian 6 virtual machine, and this guide assumes the use of Debian. Our typical deployment is around 50 users; for that size the following specifications are required.


 * 10GB Virtual Disk
 * 1 CPU
 * 1024MB RAM (this may be reduced if not using Cyfin Reporter)
 * 8GB / on EXT4
 * 2GB Swap

Prerequisites
Client Windows computers need to have "Enable Integrated Windows Authentication" ticked in Internet Options -> Advanced settings.

DNS Configuration
On the Windows DNS server add a new A record entry for the proxy server's hostname and ensure a corresponding PTR (reverse DNS) entry is also created and works.

Check that the proxy is using the Windows DNS Server for name resolution and update accordingly.

Edit the file according to your network.

domain example.local
search example.local
nameserver 192.168.0.1
nameserver 192.168.0.2

Ping an internal and an external hostname to ensure DNS is operating.

Check that you can reverse lookup the Windows Server and the local proxy IP from the Windows DNS.

NTP Configuration
Because Kerberos needs the time synchronised with the Windows Domain Controllers for authentication to work, we configure the proxy to obtain its time from them.

vi /etc/ntp.conf

Locate the following section and update the ntp servers as required. If you have more than one Domain Controller or NTP Server you may add multiple lines.

# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
server dc1.example.local
server dc2.example.local

Restart and test NTP.

invoke-rc.d ntp restart

Run the following ntpq command. You should see output that refers to the Domain Controllers and other NTP servers, which are processed in the order in which they appear in the conf file.

ntpq -p

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 dc1.example.loc .LOCL.           1 u   32 1024  377    0.463    1.874   9.718
 dc2.example.loc 192.168.0.2      2 u  202 1024  377    1.032  -20.487   9.975
-ns2.unico.com.a 11.8.227.119     3 u  200 1024  377   31.844    6.543   6.526
+pond.thecave.ws 18.26.4.105      2 u  321 1024  377   68.729   -3.529   4.643
+fw1.nerdboy.net 210.9.192.50     2 u  528 1024  377   30.292   -0.139  27.056
+cachens1.onqnet 204.152.184.72   2 u  197 1024  377   35.697    0.116   4.991
+ppp154-81.stati 202.147.104.50   3 u  542 1024  377   51.958    0.785  52.403
*warrane.connect 130.95.179.80    2 u  264 1024  377   15.539    0.921   4.655

Install and Configure Kerberos
Install Kerberos packages

apt-get install krb5-user libkrb53

Setup Kerberos.

cp /etc/krb5.conf /etc/krb5.conf.default
cat /dev/null > /etc/krb5.conf
vi /etc/krb5.conf

Edit the file replacing the variables with the client's domain and server.

Install Squid 3
We install squid now because we need the squid3 directories to be available. Squid configuration takes place after authentication is configured.

apt-get install squid3 ldap-utils

Authentication
The proxy uses three methods to authenticate clients: Negotiate/Kerberos, Negotiate/NTLM and basic authentication.

Please read Negotiate Authentication and LDAP authentication on the squid wiki.

Some applications cannot use Kerberos and need to rely on NTLM (notably iTunes). A problem also exists in the order in which the authentication helpers are used. One example is IE on a non-domain computer: it fails to negotiate Kerberos and does not fail over to NTLM or basic authentication, regardless of the order in which the helpers are provided. The result is that the user endlessly receives a popup window requesting authentication.

See this link and this link for further information.

Thankfully squid developer Markus Moeller created a negotiate wrapper around the Kerberos and NTLM helpers that resolves this.

Kerberos
Kerberos utilises msktutil, an Active Directory keytab manager (I presume the name is abbreviated from "Microsoft Keytab Utility"). We need to install some packages that msktutil requires.

apt-get install libsasl2-modules-gssapi-mit libsasl2-modules

To make the following code easier to copy and paste, run the following command, substituting i386 for the MSKTARCH value if necessary.

export MSKTARCH=amd64

Then obtain the msktutil package and install it.

wget -O /var/cache/apt/archives/msktutil_0.4-2_$MSKTARCH.deb "http://fuhm.net/software/msktutil/releases/msktutil_0.4-2_$MSKTARCH.deb"
dpkg -i /var/cache/apt/archives/msktutil_0.4-2_$MSKTARCH.deb

Initiate a Kerberos session to the server with administrator permissions to add objects to AD, updating the username where necessary. msktutil will use this session to create our Kerberos computer object in Active Directory.

It should return without errors. You can check whether you successfully obtained a ticket with:

Now we configure the proxy's Kerberos computer account and service principal by running msktutil (remember to update the highlighted values with yours).

Execute the msktutil command as follows:

msktutil -c -b "CN=COMPUTERS" -s HTTP/squidproxy.example.local -k /etc/squid3/PROXY.keytab \
  --computer-name SQUIDPROXY-K --upn HTTP/squidproxy.example.local --server dc1.example.local --verbose

Pay attention to the output of the command to ensure it succeeded; because we run it with --verbose, review the output carefully.

Set the permissions on the keytab so squid can read it.

chgrp proxy /etc/squid3/PROXY.keytab
chmod g+r /etc/squid3/PROXY.keytab

Destroy the administrator credentials used to create the account.

kdestroy

On the Windows Server, reset the computer account in AD by right clicking on the SQUIDPROXY-K computer object and selecting "Reset Account". Then run msktutil as follows to ensure the keytab is updated as expected and that msktutil correctly reads the keytab location from /etc/krb5.conf. This step is not strictly necessary but is useful to confirm msktutil works as expected.

Then run the following:

msktutil --auto-update --verbose --computer-name SQUIDPROXY-K -k /etc/squid3/PROXY.keytab

If the keytab is not found, try adding the keytab location to the command to see if it works, and then troubleshoot until resolved; otherwise users will not be able to authenticate with Squid.

Add the following to cron so it automatically updates the computer account in Active Directory when it expires (typically 30 days). I pipe it through logger so I can see any errors in syslog if necessary. As stated, msktutil uses the default /etc/krb5.conf file for its parameters, so be aware of that if you decide to make any changes in it.

The SHELL and PATH variables are there to ensure cron runs properly; change them if you know what you're doing.

crontab -e

SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h  dom mon dow   command
00 4 *   *   *     msktutil --auto-update --verbose --computer-name SQUIDPROXY-K -k /etc/squid3/PROXY.keytab | logger -t msktutil

Add the following configuration to /etc/default/squid3 so squid knows where to find the kerberos keytab.

vi /etc/default/squid3

KRB5_KTNAME=/etc/squid3/PROXY.keytab
export KRB5_KTNAME

NTLM
Install Samba and Winbind

apt-get install samba winbind samba-common-bin

Stop the samba and winbind daemons

invoke-rc.d winbind stop && invoke-rc.d samba stop

Copy the default smb.conf out of the way and edit the smb.conf

cp /etc/samba/smb.conf /etc/samba/smb.conf.default
cat /dev/null > /etc/samba/smb.conf
vi /etc/samba/smb.conf

local master = no
workgroup = EXAMPLE
security = ads
realm = EXAMPLE.LOCAL
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

Now join the proxy to the domain.

Start samba and winbind and test access to the domain.

invoke-rc.d samba start && invoke-rc.d winbind start

Set permissions so the proxy user account can read /var/run/samba/winbindd_privileged.

gpasswd -a proxy winbindd_priv

Append the following to cron to regularly change the computer account password (internal note: need to research whether Samba does this automatically).

crontab -e

05 4  *   *   *     net rpc changetrustpw -d 1 | logger -t changetrustpw

Basic
In order to use basic authentication by way of LDAP we need to create an account with which to access Active Directory.

In Active Directory create a user called "Squid Proxy" with the logon name squid@example.local.

Ensure the following is true when creating the account.


 * User must change password at next logon Unticked
 * User cannot change password Ticked
 * Password never expires Ticked
 * Account is disabled Unticked

Create a password file used by squid for ldap access and secure the file permissions (substitute the word "squidpass" below with your password).

echo 'squidpass' > /etc/squid3/ldappass.txt
chmod o-r /etc/squid3/ldappass.txt
chgrp proxy /etc/squid3/ldappass.txt

Access Groups
Authorisation to use the internet is managed via Security Groups in Active Directory.

By default the squid account will not be able to query the "memberOf" attribute in AD. In Active Directory Users and Computers, select the top level of your domain, right click it and choose Properties, then the Security tab. Add the squid user and give it read permissions (this should happen by default), then go into Advanced options and allow it to read "This object and all child objects" (Server 2003) or "This object and all descendant objects" (Server 2008).

Create the following Security Groups and descriptions in AD and add users to the relevant groups. I suggest adding all your users to Internet Users Standard and then increasing or decreasing their access level by adding them to additional groups. The order of access is from least access to highest. So for example, if a user was a member of Blocked, Standard and Anonymous, Blocked takes priority and they would have no internet access.


 * Internet Users Blocked
   * Description: Members of this group have no internet access
 * Internet Users Restricted
   * Description: Members of this group can access allowed sites only
 * Internet Users Standard
   * Description: Members of this group can access the internet except for blocked sites
 * Internet Users Exception
   * Description: Members of this group can access the internet with exceptions to blocked sites
 * Internet Users Full
   * Description: Members of this group have full internet access
 * Internet Users Anonymous
   * Description: Members of this group have full internet access and no access is logged

Create the associated files on the proxy. Squid will use these to lookup group membership for users.

echo 'Internet Users Blocked' > /etc/squid3/blocked_access.txt
echo 'Internet Users Restricted' > /etc/squid3/restricted_access.txt
echo 'Internet Users Standard' > /etc/squid3/standard_access.txt
echo 'Internet Users Exception' > /etc/squid3/exception_access.txt
echo 'Internet Users Full' > /etc/squid3/full_access.txt
echo 'Internet Users Anonymous' > /etc/squid3/anonymous_access.txt

Install negotiate_wrapper
Firstly we need to install negotiate_wrapper. Install the necessary build tools.

apt-get install build-essential linux-headers-$(uname -r)

Then compile and install.

cd /usr/local/src/
wget "http://downloads.sourceforge.net/project/squidkerbauth/negotiate_wrapper/negotiate_wrapper-1.0.1/negotiate_wrapper-1.0.1.tar.gz"
tar -xvzf negotiate_wrapper-1.0.1.tar.gz
cd negotiate_wrapper-1.0.1/
./configure
make
make install

squid_ldap_group testing
Add testing section here for squid_ldap_group - Thanks Robert. e.g.

/usr/lib/squid3/squid_ldap_group -R -K -S -b "dc=example,dc=local" -D squid@example.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Security Groups,ou=MyBusiness,dc=example,dc=local))" -h dc1.example.local
EXAMPLE\Username Internet%20Users%20Standard
Connected OK

squid.conf
We then set up squid and its associated config files.

cp /etc/squid3/squid.conf /etc/squid3/squid.conf.default
cat /dev/null > /etc/squid3/squid.conf
vi /etc/squid3/squid.conf

Study and update the following text carefully, replacing the example content with your network's configuration. If you get something wrong your proxy will not work.

#### /etc/squid3/squid.conf Configuration File ####

# cache manager
cache_mgr cache@example.com

# negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE --kerberos /usr/lib/squid3/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

# pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
auth_param ntlm children 10
auth_param ntlm keep_alive off

# provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=example,dc=local" -D squid@example.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.example.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

# ldap authorisation
external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -S -b "dc=example,dc=local" -D squid@example.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Security Groups,ou=MyBusiness,dc=example,dc=local))" -h dc1.example.local

# acl for proxy auth and ldap authorizations
#   aclname             acltype  typename activedirectorygroup
acl auth proxy_auth REQUIRED
acl BlockedAccess      external memberof "/etc/squid3/blocked_access.txt"
acl RestrictedAccess   external memberof "/etc/squid3/restricted_access.txt"
acl StandardAccess     external memberof "/etc/squid3/standard_access.txt"
acl ExceptionAccess    external memberof "/etc/squid3/exception_access.txt"
acl FullAccess         external memberof "/etc/squid3/full_access.txt"
acl AnonymousAccess    external memberof "/etc/squid3/anonymous_access.txt"
acl allowedsites       dstdomain "/etc/squid3/allowedsites.txt"
acl blockedsites       dstdomain "/etc/squid3/blockedsites.txt"
acl exceptedsites      dstdomain "/etc/squid3/exceptedsites.txt"
acl prioritysites      dstdomain "/etc/squid3/prioritysites.txt"

# squid defaults
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80         # http
acl Safe_ports port 21         # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70         # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

# http_access rules
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
# allow unrestricted access to prioritysites
http_access allow prioritysites
# enforce authentication, order of rules is important for authorization levels
http_access deny !auth
# prevent access to basic auth prompt for BlockedAccess users
http_access deny BlockedAccess all
http_access allow allowedsites
http_access deny RestrictedAccess all
http_access allow AnonymousAccess auth
http_access allow FullAccess auth
http_access allow ExceptionAccess exceptedsites auth
http_access deny blockedsites
http_access allow StandardAccess auth
# DO NOT REMOVE THE FOLLOWING LINE
http_access deny all

# logging
# don't log allowedsites, prioritysites, AnonymousAccess
access_log /var/log/squid3/access.log squid !allowedsites !prioritysites !AnonymousAccess

# squid Debian defaults
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:          1440    20%     10080
refresh_pattern ^gopher:       1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
refresh_pattern .              0       20%     4320
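The precedence described under Access Groups (Blocked beats Standard, Exception only reaches excepted sites, and so on) is nothing more than the order of the http_access lines above. The following Python script is an added example and not part of the original guide: it replays Squid's first-match evaluation of those lines against constructed users, group memberships and list contents, including why the trailing "all" on the BlockedAccess and RestrictedAccess deny lines matters.

```python
# Added example: Squid's first-match http_access evaluation over the guide's
# rule list. Users, group memberships and list contents are constructed samples.

GROUPS = {  # user -> Active Directory security groups (constructed)
    "alice": {"Internet Users Standard"},
    "bob":   {"Internet Users Standard", "Internet Users Blocked"},
    "carol": {"Internet Users Restricted"},
    "dave":  {"Internet Users Standard", "Internet Users Exception"},
    "erin":  {"Internet Users Anonymous"},
}

LISTS = {  # the guide's dstdomain files, with constructed contents
    "allowedsites":  {".example.local", ".debian.org"},
    "blockedsites":  {".youtube.com", ".facebook.com", ".twitter.com"},
    "exceptedsites": {".youtube.com"},
    "prioritysites": {".windowsupdate.com"},
}

# external memberof ACL -> AD group named in its *_access.txt file
MEMBEROF = {n + "Access": "Internet Users " + n for n in
            ("Blocked", "Restricted", "Standard", "Exception", "Full", "Anonymous")}

# The authorisation part of the guide's http_access list, in order
RULES = [
    ("allow", ["prioritysites"]),
    ("deny",  ["!auth"]),
    ("deny",  ["BlockedAccess", "all"]),
    ("allow", ["allowedsites"]),
    ("deny",  ["RestrictedAccess", "all"]),
    ("allow", ["AnonymousAccess", "auth"]),
    ("allow", ["FullAccess", "auth"]),
    ("allow", ["ExceptionAccess", "exceptedsites", "auth"]),
    ("deny",  ["blockedsites"]),
    ("allow", ["StandardAccess", "auth"]),
    ("deny",  ["all"]),
]


def dstdomain_match(host, entries):
    """dstdomain semantics: '.example.com' matches example.com and every
    subdomain of it; an entry without the leading dot matches that host only."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def acl_match(name, user, host):
    """Evaluate one ACL reference (optionally negated with '!'); user is None
    when the request carries no proxy credentials."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name == "all":
        hit = True
    elif name == "auth":            # acl auth proxy_auth REQUIRED
        hit = user is not None
    elif name in MEMBEROF:          # external memberof lookup keyed on %LOGIN
        hit = user is not None and MEMBEROF[name] in GROUPS.get(user, set())
    else:                           # one of the dstdomain lists
        hit = dstdomain_match(host, LISTS[name])
    return hit != negate


def http_access(user, host):
    """Return 'allow', 'deny' or 'challenge' (HTTP 407). The first line whose
    ACLs all match decides. A deny line ending in a credential-dependent ACL
    (proxy_auth or a %LOGIN external ACL) produces a 407 so the client can retry
    with other credentials; the trailing 'all' on the BlockedAccess and
    RestrictedAccess lines turns that prompt into a plain deny."""
    for action, acls in RULES:
        if all(acl_match(a, user, host) for a in acls):
            last = acls[-1].lstrip("!")
            if action == "deny" and (last == "auth" or last in MEMBEROF):
                return "challenge"
            return action
    return "deny"


def is_logged(user, host):
    """access_log ... squid !allowedsites !prioritysites !AnonymousAccess"""
    return not (dstdomain_match(host, LISTS["allowedsites"])
                or dstdomain_match(host, LISTS["prioritysites"])
                or acl_match("AnonymousAccess", user, host))
```

Run http_access("bob", "www.debian.org") to see that a Blocked member is denied even an allowed site, and http_access("dave", "www.facebook.com") to see that Exception membership only covers sites listed in exceptedsites.txt.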

Create the blocked and allowed sites files and add some blocked and allowed sites to them.

touch /etc/squid3/allowedsites.txt
touch /etc/squid3/blockedsites.txt
touch /etc/squid3/exceptedsites.txt
touch /etc/squid3/prioritysites.txt

Some example entries (in blockedsites.txt) might be:

# How to add domains to this file
#   1.  Use only the domain name EXCLUDING the protocol prefix, i.e.
#       don't put "http://" at the start.
#   2.  Do not append a directory to the domain name, i.e. don't put
#       /index.php/path/blah.html at the end of the name.
#   3.  Prefix each entry with a single dot ".", this ensures a match of
#       example.com and www.example.com.
#   4.  If you need to match different top level domains like .com,
#       .net, .com.au for sites that have multiple top level domains to
#       the same website then add a separate entry for each e.g.
#           .example.com
#           .example.com.au
###
.youtube.com
.facebook.com
.twitter.com

Then restart squid and check for any errors.

invoke-rc.d squid3 restart

Take a look at the logs as well to check that squid is happy.

Auth Helpers
Create a section in reference to http://www.squid-cache.org/mail-archive/squid-users/201207/0117.html

And guidelines on testing using squidclient

Proxy Auto Configuration
Install Apache2 and the php5 module

apt-get install apache2 libapache2-mod-php5

Add a configuration to Apache2 to identify the file format of the proxy configuration script.

vi /etc/apache2/conf.d/wpad.dat

AddType   application/x-ns-proxy-autoconfig .dat

Create the wpad.dat file

vi /var/www/wpad.dat

Change the line starting with $proxy to your proxy's FQDN, and add or remove lines and comments as desired for your network. If you need to allow certain hosts to access the internet directly (bypassing the proxy), update the address or range in the section "Hosts in this range are allowed direct". Some commented-out examples are included for reference.

function FindProxyForURL(url, host) {
    var $proxy = "PROXY squidproxy.example.local:3128";

    // If URL has no dots in host name, send traffic direct
    if (isPlainHostName(host)) return "DIRECT";

    // URLs within this network are accessed direct
    if (isInNet(host, "192.168.0.0", "255.255.0.0"))       {return "DIRECT";}
    if (isInNet(host, "172.16.0.0", "255.240.0.0"))        {return "DIRECT";}
    if (isInNet(host, "10.0.0.0", "255.0.0.0"))            {return "DIRECT";}
    if (isInNet(host, "127.0.0.0", "255.0.0.0"))           {return "DIRECT";}

    // Terminal server uses the proxy
    // if (isInNet(myIpAddress(), "192.168.0.13", "255.255.255.255")) return $proxy;

    // Hosts in this range are allowed direct
    // if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.224")) return "DIRECT";

    // Return proxy for EVERYTHING else
    return $proxy;
}

Restart Apache2

invoke-rc.d apache2 restart

Optional: Error Page Logo
Copy a logo file into

Then update with the path to this file

sed -i 's/www.squid-cache.org\/Artwork\/SN.png/squidproxy.example.local\/proxylogo.gif/g' /etc/squid3/errorpage.css
sed -i 's/padding-left: 100px/padding-left: 130px/g' /etc/squid3/errorpage.css

Reload squid3

invoke-rc.d squid3 reload

Group Policies
Place the following file called ieauth.adm in C:\Windows\inf on your DC

CLASS USER
CATEGORY !!Components
  CATEGORY !!IE
    POLICY !!enableNegotiatePolicy
      EXPLAIN !!enableNegotiateDesc
      KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
      VALUENAME "EnableNegotiate"
      VALUEON "1"
      VALUEOFF "0"
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
Components="Windows Components"
IE="Internet Explorer"
enableNegotiatePolicy="Enable Integrated Windows Authentication"
enableNegotiateDesc="Enable Integrated Windows Authentication"

Testing
Before testing, ensure that:

 * Users have logged out and in again since you configured and restarted squid.
 * Client browsers are using Integrated Windows Authentication.
 * You have added all users to the relevant Internet Users security groups in AD.
 * All client browsers are set to automatically detect proxy settings for internet access. Using group policy is a sensible option here, or perhaps restrict outbound HTTP access on your firewall to weed out users without auto-detection configured.

Test access with Internet Explorer by ticking "Use automatic configuration script", inserting http://squidproxy.example.local/wpad.dat in the address field and then accessing any websites.

Tail the proxy access logs to verify it is using the proxy.

tail -F /var/log/squid3/access.log

Good luck, I hope it works!

WPAD DNS entries
Add a CNAME record in DNS to point wpad.example.local to squidproxy.example.local.

To remove wpad from the block list while leaving the block list itself enabled, run Regedit and open the following location.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList

It will likely have the entries WPAD and ISATAP. Remove the WPAD entry and restart the DNS service for it to reload the block list. You should then be able to resolve wpad.example.local.

Then set your browser to use proxy auto configuration. All modern web browsers follow the WPAD standard and will attempt to look up http://wpad.example.local/wpad.dat for their configuration information.

More information about WPAD can be found here.

Check your squid logs to see that clients are using the proxy.

Optional: List Editing
This allows designated staff to edit blockedsites.txt, allowedsites.txt and exceptedsites.txt via a web browser.

cd /var/www/
wget "http://www.dminnich.com/files/php_simple_fileed.tar.gz"
tar -xvzf php_simple_fileed.tar.gz
mv /var/www/php_simple_fileed /var/www/lists
rm -f /var/www/php_simple_fileed.tar.gz
rm -f /var/www/lists/readme.txt
mv /var/www/lists/fileed.php /var/www/lists/index.php
sed -i 's/Simple File Editor/Proxy List Editor/g' /var/www/lists/index.php
sed -i 's/home\/dustin\/public_html/var\/www\/lists/g' /var/www/lists/index.php
ln -s /etc/squid3/blockedsites.txt /var/www/lists/
ln -s /etc/squid3/allowedsites.txt /var/www/lists/
ln -s /etc/squid3/exceptedsites.txt /var/www/lists/
chmod 666 /etc/squid3/blockedsites.txt
chmod 666 /etc/squid3/allowedsites.txt
chmod 666 /etc/squid3/exceptedsites.txt

If you trust user access to prioritysites then you can provide access to this list

ln -s /etc/squid3/prioritysites.txt /var/www/lists/
chmod 666 /etc/squid3/prioritysites.txt

Now add authentication to access the list page

sed -i '0,/AllowOverride None/! {0,/AllowOverride None/ s/AllowOverride None/AllowOverride AuthConfig/}' /etc/apache2/sites-available/default
invoke-rc.d apache2 restart

Now setup htaccess.

cat > /var/www/lists/.htaccess <> /etc/incron.allow invoke-rc.d incron restart

Because editors like vim tend to delete the original file and move a temporary file into position after editing them I had to write this script to ensure incron continues to monitor the files we are interested in:

Create a file containing the following script, then make it executable.

#!/bin/bash
lists="
    /etc/squid3/blockedsites.txt
    /etc/squid3/exceptedsites.txt
    /etc/squid3/prioritysites.txt
    /etc/squid3/allowedsites.txt
"
for j in ${lists} ; do
    [ "${j}" == "${1}" ] && \
    { /usr/bin/logger -t squid3-inotify "${j} modified, reloading squid3..." ;
      /usr/sbin/invoke-rc.d squid3 reload ; }
done

chmod +x /usr/local/bin/squid3-inotify.sh

Edit incron to perform the reload.

incrontab -e

/etc/squid3 IN_CLOSE_WRITE,IN_MOVED_TO /usr/local/bin/squid3-inotify.sh $@/$#

Optional: Install Cyfin Reporter
With the proxies we operate we need decent reporting. Programs like sarg, mysar etc. were not cutting it as decent reporting options for monitoring user internet usage. Cyfin Reporter by Wavecrest has proven to be a very capable and intuitive reporting system with plenty of features.

This is how to setup and install Cyfin Reporter with squid on Debian Squeeze.

The latest Cyfin Reporter version at the time of writing is version 8.5. Check the following locations depending on your architecture before you download and update the following commands where necessary.

http://downloads.wavecrest.net/release/cyfin/linux32/

http://downloads.wavecrest.net/release/cyfin/linux64/

So your install might look something like this...

cd /usr/local/src/
wget "http://downloads.wavecrest.net/release/cyfin/linux32/v850/c850linux32.bin.gz"
gunzip c850linux32.bin.gz
chmod +x c850linux32.bin

export PS1=">"
./c850linux32.bin

When prompted about the install path enter it as

ENTER AN ABSOLUTE PATH, OR PRESS  TO ACCEPT THE DEFAULT : /opt/wavecrest/cyfin

Accept everything else as default.

We need to create an initscript to start and stop cyfin

vi /etc/init.d/cyfin


#! /bin/sh
### BEGIN INIT INFO
# Provides:          cyfin
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: cyfin reporter initscript
### END INIT INFO

# Author: James Robertson

NAME=cyfin
SCRIPTNAME=/etc/init.d/$NAME

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions

case "$1" in
  start)
        sh /opt/wavecrest/cyfin/cyfin start
        ;;
  stop)
        sh /opt/wavecrest/cyfin/cyfin stop
        ;;
  status)
        # assumes the vendor script accepts a status argument
        sh /opt/wavecrest/cyfin/cyfin status
        ;;
  restart)
        sh /opt/wavecrest/cyfin/cyfin restart
        ;;
  *)
        echo "Usage: $SCRIPTNAME {start|stop|status|restart}" >&2
        exit 3
        ;;
esac



chmod +x /etc/init.d/cyfin
update-rc.d cyfin defaults

Configuring Cyfin Reporter would require a brand new tutorial, so here are the basics.

Access the configuration GUI via http://squidproxy.example.local:7999. The logon by default is "admin" for the username and "password" for the password.


 * Use the help in the GUI as the documentation is very good.
 * Check the FAQs at http://www.wavecrest.net/support/cyfin/reporter/faqs.html
 * Use the Quick Start menu to setup the basics, which are fairly straight forward.
 * Enable the Data Manager to import log files and setup a log file import schedule.
 * Use the integration with Active Directory; you can use the squid account created for LDAP auth to also extract information from Active Directory.
 * Configure a schedule to import User lists from Active Directory.
 * You should ensure your users are part of a security group or distribution group in Active Directory and add these groups to Cyfin Reporter.
 * Assign the department's manager as the recipient of email reports.
 * Setup access accounts for staff with permission to view the logs.

If you use Cyfin Reporter you need to account for additional memory usage so be sure to allocate enough resources to run it.

That concludes the documentation.